Bug 48786 - Serious security problem in vipw, util-linux 2.10s
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: util-linux
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
Keywords: Security
Reported: 2001-07-11 19:49 UTC by Jack Lloyd
Modified: 2014-03-17 02:21 UTC
Doc Type: Bug Fix
Last Closed: 2001-07-18 23:43:05 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2001:095
Priority: normal
Status: SHIPPED_LIVE
Summary: New util-linux packages available to fix vipw permissions problems
Last Updated: 2001-07-12 04:00:00 UTC

Description Jack Lloyd 2001-07-11 19:49:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.3-12smp i686; Nav)

Description of problem:
There is an incredibly serious problem with vipw in util-linux 2.10s on
Redhat 7.1. If you edit the /etc/shadow or /etc/gshadow files, vipw
actually creates a copy in /etc (or somewhere), and lets you edit that.
Afterwards, it copies it back to the normal location. However, it doesn't
set the permissions correctly, resulting in a world-readable /etc/shadow,
allowing brute force attacks.

How reproducible:
Always

Steps to Reproduce:
1. Run vipw
2. Do some random change (insert and delete space, whatever), then save
3. Say yes when prompted to edit /etc/shadow
4. Do another random change
5. /etc/shadow now has mode 644


Actual Results: 
[root@caliper /root]# ls -l /etc/shadow
-rw-------    1 root     root          847 Jul 11 15:42 /etc/shadow
[root@caliper /root]# vipw
<here I'm editing /etc/passwd>
You are using shadow passwords on this system. Would you like to edit
/etc/shadow now [y/n]? y
<here I'm editing /etc/shadow>
[root@caliper /root]# ls -l /etc/shadow
-rw-r--r--    1 root     root          847 Jul 11 15:48 /etc/shadow
[root@caliper /root]# 

Expected Results:  /etc/shadow and /etc/gshadow should always be 600.

Additional info:

At first I thought that vipw was just ignoring my umask, which would be bad
enough but at least it's an easy fix. (make sure root's umask is always
077). However, even with a umask of 077, the file is created mode 644.

This problem was also observed on a Mandrake 8.0 system with util-linux
2.11d
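
The edit-a-copy-then-replace pattern described in this report, as an added C example that is not vipw's or util-linux's code: the weak path forces a fixed mode on the replacement file, the hardened path reuses the mode of the file being replaced. The names `replace_file` and `mode_after_replace`, the sample path under /tmp, and the hard-coded 0644 are assumptions for illustration; the report does not show where vipw's mode comes from.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Rewrite `path` via a temp file in the same directory, then rename over it.
 * keep_mode == 0: weak variant, forces 0644 (assumed passwd-style default).
 * keep_mode == 1: hardened variant, reuses the original file's mode bits.
 * Returns 0 on success, -1 on error. */
int replace_file(const char *path, const char *data, int keep_mode)
{
    struct stat st;
    char tmp[4096];
    size_t len = strlen(data);
    if (stat(path, &st) != 0 ||
        snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);             /* created 0600, never wider */
    if (fd < 0) return -1;
    /* fchmod() ignores umask, so a hard-coded mode beats umask 077 */
    mode_t mode = keep_mode ? (st.st_mode & 07777) : 0644;
    int ok = write(fd, data, len) == (ssize_t)len &&
             fchmod(fd, mode) == 0 && fsync(fd) == 0;
    close(fd);
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Build a constructed 0600 sample file, replace it under umask 077,
 * and return the mode bits it ends up with (-1 on error). */
int mode_after_replace(int keep_mode)
{
    char path[] = "/tmp/shadow-demo.XXXXXX";   /* constructed sample, not /etc/shadow */
    struct stat st;
    int fd = mkstemp(path), mode = -1;
    if (fd < 0) return -1;
    close(fd);                          /* mkstemp leaves it at 0600 */
    mode_t old = umask(077);
    if (replace_file(path, "root:*:0:0:::::\n", keep_mode) == 0 && stat(path, &st) == 0)
        mode = (int)(st.st_mode & 07777);
    umask(old);
    unlink(path);
    return mode;
}
```

With umask 077 in effect, `mode_after_replace(0)` ends at 0644 and `mode_after_replace(1)` stays at 0600, which matches the reporter's observation that tightening root's umask does not help.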

Comment 1 Bill Nottingham 2001-07-12 15:31:02 UTC
working on it, thanks!

Comment 2 Bill Nottingham 2001-07-19 00:23:04 UTC
Fixed in the errata.


Note You need to log in before you can comment on or make changes to this bug.